Friday, February 27, 2026


Trojanized gaming tools spread Java-based RAT via browsers and chat platforms

RAT-based malware is being spread through trojanized gaming tools distributed via browsers and chat platforms, according to Microsoft Threat Intelligence. Researchers say threat actors are using a staged downloader to deploy a Java-based remote access trojan while actively evading detection mechanisms.

“A malicious downloader staged a portable Java runtime and executed a malicious Java archive (JAR) file named jd-gui.jar,” the Microsoft Threat Intelligence team said in a post on X. “This downloader used PowerShell and living-off-the-land binaries (LOLBins) like cmstp.exe for stealthy execution.” The attack chain deletes the initial downloader and configures Microsoft Defender exclusions to protect RAT components. Persistence is established through a scheduled task and a Windows startup script named “world.vbs” before deploying the final payload. The malware is described as a multi-purpose threat that functions as a loader, runner, downloader, and RAT. Once active, it connects to an external server at 79.110.49[.]15 for command-and-control communications, enabling data exfiltration and additional payload delivery.

Users are advised to audit Microsoft Defender exclusions and scheduled tasks, remove malicious tasks and startup scripts, isolate affected endpoints and reset credentials for accounts used on compromised systems. Meanwhile, BlackFog has revealed a new Windows RAT family named Steaelite, first advertised on criminal forums in November 2025 as a “best Windows RAT” with “fully undetectable” capabilities. The malware supports Windows 10 and 11 and combines data theft and ransomware into a single web panel, with an Android ransomware module in development.
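
The audit steps above (Defender exclusions, scheduled tasks, startup scripts, and connections to the reported C2 address) can be scripted as a read-only triage pass. The script below is an added example written for this page; it is not from the article, Microsoft, or BlackFog. It uses only the indicators the article names (jd-gui.jar, world.vbs, cmstp.exe, 79.110.49[.]15); the list of "suspect binaries" it matches against scheduled tasks is an assumption, and the Run-key and startup-folder checks are the standard locations rather than anything the article specifies. It changes nothing on the host: removal of tasks and scripts, isolation, and credential resets remain manual steps after review.

```powershell
# Added example, not from the article or the vendors it quotes: read-only triage for the
# indicators described above. Run in an elevated PowerShell session on Windows 10/11.

$ErrorActionPreference = 'SilentlyContinue'

# Indicators taken from the article; the C2 address is defanged in the text and rebuilt here.
$C2Address     = '79.110.49.15'
$StartupScript = 'world.vbs'
$JarName       = 'jd-gui.jar'
# Assumption: binaries the described chain abuses; used only as a match list for task actions.
$SuspectBinaries = @('powershell', 'cmstp.exe', 'java', 'javaw', 'wscript', 'cscript')

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Microsoft Defender exclusions: the chain adds these to shield the RAT components.
#    Any exclusion is worth a second look; an unexplained one is the signal here.
$pref = Get-MpPreference
foreach ($p in $pref.ExclusionPath)      { $findings.Add("Defender path exclusion: $p") }
foreach ($p in $pref.ExclusionProcess)   { $findings.Add("Defender process exclusion: $p") }
foreach ($e in $pref.ExclusionExtension) { $findings.Add("Defender extension exclusion: $e") }

# 2. Scheduled tasks whose action runs a suspect binary or references the JAR or VBS name.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        $hit = $SuspectBinaries | Where-Object { $cmd -match [regex]::Escape($_) }
        if ($hit -or ($cmd -match [regex]::Escape($JarName)) -or ($cmd -match [regex]::Escape($StartupScript))) {
            $findings.Add("Scheduled task '$($task.TaskPath)$($task.TaskName)' runs: $cmd")
        }
    }
}

# 3. Startup folders and Run keys: world.vbs specifically, plus any .vbs/.jar entry.
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File |
        Where-Object { ($_.Name -ieq $StartupScript) -or ($_.Extension -in @('.vbs', '.jar')) } |
        ForEach-Object { $findings.Add("Startup folder entry: $($_.FullName)") }
}
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if ($props) {
        foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            if ("$($prop.Value)" -match '\.vbs|\.jar|cmstp') {
                $findings.Add("Run key $key\$($prop.Name): $($prop.Value)")
            }
        }
    }
}

# 4. Live TCP connections to the reported C2 address, with the owning process.
Get-NetTCPConnection | Where-Object { $_.RemoteAddress -eq $C2Address } | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess
    $findings.Add("Connection to $C2Address from PID $($_.OwningProcess) ($($proc.ProcessName)), state $($_.State)")
}

# 5. Report. Exit code 1 means at least one indicator was found, so the script can be run fleet-wide
#    and hosts that need isolation and credential resets can be collected from the exit status.
if ($findings.Count -eq 0) {
    Write-Output "No indicators from the reported chain found on $env:COMPUTERNAME."
    exit 0
}
Write-Output "Indicators found on $env:COMPUTERNAME:"
$findings | ForEach-Object { Write-Output "  - $_" }
exit 1
```

Defender exclusions are listed in full rather than filtered, because a legitimate exclusion and one planted by the downloader look identical to a script; only the administrator knows which ones were approved. A non-zero exit is the hand-off point to the manual steps the article recommends.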

Steaelite includes tools for keylogging, client-to-victim chat, file search, USB spreading, wallpaper modification, UAC bypass and clipper functions. It can disable Microsoft Defender, remove competing malware and install persistence mechanisms. Its capabilities include remote code execution, file management, live streaming, webcam and microphone access, password theft, location tracking, DDoS attacks and VB.NET payload compilation. “The tool gives operators browser-based control over infected Windows machines, covering remote code execution, credential theft, live surveillance, file exfiltration and ransomware deployment from a single dashboard,” security researcher Wendy McCague said. Researchers have also identified DesckVB RAT and KazakRAT, with KazakRAT suspected to target Kazakh and Afghan entities since at least August 2022.
